Use DNS to Validate Domain Ownership

Before the Amazon certificate authority (CA) can issue a certificate for your site, AWS Certificate Manager (ACM) must verify that you own or control all of the domain names that you specified in your request. You can choose either email validation or DNS validation when you request a certificate. This topic discusses DNS validation. For information about email validation, see Use Email to Validate Domain Ownership.

Note

Validation applies only to certificates provided by AWS Certificate Manager (ACM). ACM does not validate domain ownership for imported certificates.

The Domain Name System (DNS) is a directory service for resources connected to a network. On the internet, DNS servers are used primarily to translate from domain names to the numerical IP addresses that identify and locate resources such as computers and other devices. The databases on DNS servers contain domain records that are used for this translation and to enable other functionality. For example, A records are a type of DNS record used to map domain names to IPv4 addresses. MX records are used to route email. NS records list all of the name servers for the domain.

ACM uses CNAME (Canonical Name) records to validate that you own or control a domain. When you choose DNS validation, ACM provides you one or more CNAME records to insert into your DNS database. For example, if you request a certificate for the example.com domain with www.example.com as an additional name, ACM creates two CNAME records for you. Each record, created specifically for your domain and your account, contains a name and a value. The value is an alias that points to a domain that ACM owns and which ACM uses to automatically renew your certificate. You add the CNAME records to your DNS database only once. ACM automatically renews your certificate as long as the certificate is in use and your CNAME record remains in place. In addition, if you use Amazon Route 53 to create your domain, ACM can write the CNAME records for you.

The following table shows example CNAME records for five domain names. The _x values are long random strings generated by ACM. For example, _3639ac514e785e898d2646601fa951d5.example.com is representative of a generated name. Note that the first two _x values in the table are the same. That is, the random string created by ACM for the wildcard name *.example.com is the same as that created for the base domain name example.com. Note also that ACM creates different CNAME records for example.com and www.example.com.


Domain name                  DNS zone                Name                             Type    Value
*.example.com                example.com             _x1.example.com                  CNAME   _x2.acm-validations.aws
example.com                  example.com             _x1.example.com                  CNAME   _x2.acm-validations.aws
www.example.com              example.com             _x3.www.example.com              CNAME   _x4.acm-validations.aws
host.example.com             example.com             _x5.host.example.com             CNAME   _x6.acm-validations.aws
subdomain.example.com        subdomain.example.com   _x7.subdomain.example.com        CNAME   _x8.acm-validations.aws
host.subdomain.example.com   subdomain.example.com   _x9.host.subdomain.example.com   CNAME   _x10.acm-validations.aws

DNS validation has a number of advantages over email validation:

DNS requires that you create only one CNAME record per domain name when you request an ACM Certificate. Email validation sends up to eight email messages per domain name.

You can request additional ACM Certificates for your FQDN for as long as the DNS record remains in place. That is, you can create multiple certificates that have the same domain name. You do not need to get a new CNAME record. There are many reasons to do this. You might, for example, want new certificates that cover different subdomains. You might want to create the same certificate in multiple regions (the validation token works for any region). You might want to replace a certificate that you deleted.

ACM automatically renews ACM Certificates that you validated by using DNS. ACM renews each certificate before it expires as long as the certificate is in use and the DNS record is in place.

ACM can add the CNAME record for you if you use Route 53 to manage your public DNS records. If you do not use Route 53 as your DNS provider, contact your DNS provider to find out how to add records.

You can more easily automate the DNS validation process than you can the email validation process.

Note however that you may be required to use email validation if you do not have permission to modify the DNS records for your domain.

To use DNS validation:

Sign into the AWS Management Console and open the ACM console at https://console.aws.amazon.com/acm/home. If the introductory page appears, choose Get Started. Otherwise, choose Request a certificate.

To add more domain names to the ACM Certificate, type other names as text boxes open beneath the name you just typed.

Choose Next.

Choose DNS validation.

Choose Review and request. Verify that the domain name and validation method are correct.

Choose Confirm and request.

On the Validation page, expand your domain information or choose Export DNS configuration to a file. If you expand your domain information, ACM displays the name and value of the CNAME record you must add to your DNS database to validate that you control the domain.

The Create record in Route 53 button appears if the following conditions are true:

You use Route 53 as your DNS provider.

You have permission to write to the Route 53 hosted zone.

Your FQDN has not already been validated.

If your FQDN has already been validated or if you don't have permission to write to the Route 53 hosted zone for the domain name you are requesting, the Create record in Route 53 button will appear disabled. For more information about Route 53 record sets, see Working with Resource Record Sets.

Note

Currently, you cannot programmatically request that ACM automatically create your record in Route 53. You can, however, make an AWS CLI or API call to Route 53 to create the record.

Add the record from the console or the exported file to your database. For more information about adding DNS records, see Adding a CNAME to Your Database. You can choose Continue to skip this step. You can return to it later by opening the certificate request in the console.

Note

If your FQDN was validated when you requested a previous certificate and you are requesting another certificate for the same FQDN, you do not need to add another DNS record.

Note

Adding a CNAME record whose name already contains your domain name (a name ending in .example.com) might result in duplication of the domain name (a name ending in .example.com.example.com) if your DNS provider appends the zone name for you. To avoid duplication, you can manually copy only the part of the CNAME name that you need. This would be of the form _3639ac514e785e898d2646601fa951d5.

After updating your DNS configuration, choose Continue. ACM displays a table view that includes all of your certificates. The certificate you requested and its status are displayed. After your DNS provider propagates your record update, it can take up to several hours for ACM to validate the domain name and issue the certificate. During this time, ACM shows the validation status as Pending validation. After validating the domain name, ACM changes the validation status to Success. After AWS issues the certificate, ACM changes the certificate status to Issued.

Note

If ACM is not able to validate the domain name within 72 hours from the time it generates a CNAME value for you, ACM changes the certificate status to Validation timed out. The most likely reason for this result is that you did not update your DNS configuration with the value that ACM generated. To remedy this issue, you must request a new certificate.
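The procedure above, the table of _x records, and the two notes about creating the record through the Route 53 API and about duplicating the zone name are tied together in the following script. It is an added example, not AWS's own code or a documented ACM feature. It assumes the shape of ACM's DescribeCertificate response (Certificate.DomainValidationOptions[].ResourceRecord with Name, Type and Value) and of Route 53's ChangeResourceRecordSets ChangeBatch; the sample certificate data and hosted zone ids are constructed from the placeholder _x values in the table and are not real tokens. The pure helpers pick the most specific hosted zone for each record, reduce a full record name to the label you would type into a provider UI that appends the zone itself, and de-duplicate the record that the wildcard and base names share; only apply_with_boto3 talks to AWS.

```python
"""Apply ACM DNS validation CNAMEs to Route 53 hosted zones (added example, not AWS code).
Assumes the DescribeCertificate and ChangeResourceRecordSets shapes named in the lead-in;
all sample values below are constructed placeholders."""
from typing import Optional

# Constructed stand-in for the "Certificate" element of a DescribeCertificate
# response; the _x labels are placeholders, not real ACM tokens.
SAMPLE_CERTIFICATE = {
    "DomainValidationOptions": [
        {"DomainName": "*.example.com",
         "ResourceRecord": {"Name": "_x1.example.com.", "Type": "CNAME",
                            "Value": "_x2.acm-validations.aws."}},
        {"DomainName": "example.com",  # same record as the wildcard, as in the table
         "ResourceRecord": {"Name": "_x1.example.com.", "Type": "CNAME",
                            "Value": "_x2.acm-validations.aws."}},
        {"DomainName": "host.subdomain.example.com",
         "ResourceRecord": {"Name": "_x9.host.subdomain.example.com.", "Type": "CNAME",
                            "Value": "_x10.acm-validations.aws."}},
    ]
}
# Constructed hosted zones, keyed the way Route 53 names them (trailing dot); ids are placeholders.
SAMPLE_ZONES = {"example.com.": "ZONE-EXAMPLE", "subdomain.example.com.": "ZONE-SUB"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def choose_hosted_zone(record_name: str, zones: dict) -> Optional[str]:
    """Return the zone key whose name is the longest suffix of record_name.
    As in the table, _x9.host.subdomain.example.com belongs in the
    subdomain.example.com zone when that zone exists, not in example.com."""
    name, best, best_len = normalize(record_name), None, -1
    for zone in zones:
        z = normalize(zone)
        if (name == z or name.endswith("." + z)) and len(z) > best_len:
            best, best_len = zone, len(z)
    return best


def relative_record_name(record_name: str, zone: str) -> str:
    """Return only the labels to type into a provider UI that appends the zone itself.
    Pasting the full _x1.example.com into an example.com zone would create the
    duplicated _x1.example.com.example.com that the note above warns about."""
    name, z = normalize(record_name), normalize(zone)
    if name == z:
        return "@"
    if not name.endswith("." + z):
        raise ValueError(f"{record_name} is not inside zone {zone}")
    return name[: -(len(z) + 1)]


def build_change_batch(certificate: dict) -> dict:
    """Convert ACM's validation options into Route 53 UPSERT changes; identical
    records (wildcard and base name) are emitted once, and UPSERT is safe to re-run."""
    seen, changes = set(), []
    for opt in certificate.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if not rr:
            continue  # email-validated name, or ACM has not generated the record yet
        key = (normalize(rr["Name"]), rr["Type"], normalize(rr["Value"]))
        if key in seen:
            continue
        seen.add(key)
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": 300,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation records", "Changes": changes}


def group_changes_by_zone(certificate: dict, zones: dict) -> dict:
    """Route 53 takes one ChangeBatch per hosted zone; return {zone_id: ChangeBatch}."""
    batches = {}
    for change in build_change_batch(certificate)["Changes"]:
        name = change["ResourceRecordSet"]["Name"]
        zone = choose_hosted_zone(name, zones)
        if zone is None:
            raise ValueError(f"no hosted zone in this account contains {name}")
        batch = batches.setdefault(zones[zone], {"Comment": "ACM DNS validation", "Changes": []})
        batch["Changes"].append(change)
    return batches


def apply_with_boto3(certificate_arn: str) -> None:
    """Live path (needs AWS credentials and boto3; not exercised offline): read the
    records from ACM and UPSERT them. Assumes list_hosted_zones fits in one page."""
    import boto3  # imported here so the pure helpers above stay dependency-free

    acm, route53 = boto3.client("acm"), boto3.client("route53")
    cert = acm.describe_certificate(CertificateArn=certificate_arn)["Certificate"]
    zones = {z["Name"]: z["Id"] for z in route53.list_hosted_zones()["HostedZones"]}
    for zone_id, batch in group_changes_by_zone(cert, zones).items():
        route53.change_resource_record_sets(HostedZoneId=zone_id, ChangeBatch=batch)
```

Run group_changes_by_zone(SAMPLE_CERTIFICATE, SAMPLE_ZONES) to see the offline result: two batches, one per hosted zone, with the shared wildcard/base record emitted once. The TTL of 300 seconds and the UPSERT action are choices made here, not values ACM prescribes; a short TTL keeps a mistyped record from lingering in caches while you wait for the Pending validation status to change.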

Adding a CNAME to Your Database

To use DNS validation, you must be able to add a CNAME record to the DNS configuration for your domain. If Route 53 is not your DNS provider, contact your provider to find out how to add records. If Route 53 is your provider, ACM can create the CNAME record for you as discussed previously in step 9. If you want to add the record yourself, see Editing Resource Record Sets in the Route 53 Developer Guide.

If you do not have permission to edit your DNS configuration, you must use email validation.

Deleting a CNAME from Your Database

ACM automatically renews your certificate for as long as the certificate is in use and the CNAME record that ACM created for you remains in place in your DNS database. You can stop automatic renewal by removing the certificate from the AWS service with which it is associated or by deleting the CNAME record. If Route 53 is not your DNS provider, contact your provider to find out how to delete the record. If Route 53 is your provider, see Deleting Resource Record Sets in the Route 53 Developer Guide. For more information about managed certificate renewal, see Managed Renewal for ACM's Amazon-Issued Certificates.
